December 12, 2019

What’s Next After Facebook’s Record $5 Billion Fine and Cambridge Analytica?

Facebook is facing some big changes after the Federal Trade Commission (FTC) settled with the social media giant over charges that it violated an earlier consent agreement. The company will pay a penalty of $5 billion, which is not only the biggest privacy fine in history, but also, according to FTC commissioner Noah Phillips, “almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide.”

The order requires Facebook to make significant improvements in how it handles data privacy. Key changes include the creation of a privacy subgroup of Facebook’s board of directors to oversee data privacy, submission of quarterly privacy compliance statements that are independently certified by CEO Mark Zuckerberg and Facebook’s compliance officer(s), and a requirement that third parties with access to consumer information comply with the company’s terms, policies, and procedures. The order also mandates that an independent third-party assessor, approved by the FTC, provides quarterly assessments to the new privacy committee of Facebook’s Board.

The fine represents 9% of the company’s 2018 revenue. Critics in Congress and within the FTC’s ranks argued that the penalty barely touched Facebook’s profitability and did not force the company to stop collecting personal data. The two Democrats on the Commission, Rebecca Slaughter and Rohit Chopra, voted against the settlement, expressing the view that the order would not impose discipline on how Facebook treats data and privacy, and that Mark Zuckerberg should be held personally liable.

The FTC also launched an administrative complaint against now-bankrupt Cambridge Analytica (CA) “for its deceptive acts and practices to harvest personal information from Facebook users for political and commercial targeted advertising purposes.” The complaint alleges that CA collected Facebook profile data from 250,000-270,000 U.S. users plus 50-65 million of their Facebook friends without their consent.

The FTC further alleged that CA falsely claimed participation in the EU-U.S. Privacy Shield framework after the company neglected to renew its certification, which expired in May 2018. Under Privacy Shield rules, participants must affirm to the Department of Commerce, which oversees the program, that they will continue to apply the principles to personal information received during the time they participated in Privacy Shield. CA allegedly failed to do so while still claiming on its website that it adhered to Privacy Shield principles. In contrast with the Facebook settlement, the order individually names CA’s CEO, Alexander Nix, and its developer, academic researcher Aleksandr Kogan, for their personal involvement in the collection of Facebook members’ personal data.

Facebook’s privacy issues do not end with the FTC settlement. Facebook will also pay $100 million to the Securities and Exchange Commission (SEC) in a settlement announced on July 24, 2019 over charges that Facebook misled investors, presenting the risk of misuse of user data as hypothetical despite knowing about actual misuse for more than two years. Facebook is still under investigation by European data protection authorities in several member states for privacy violations under the General Data Protection Regulation (GDPR), under which fines can reach 4% of global profits. The FTC is also not done with Facebook; the agency is currently investigating the company for antitrust violations. Meanwhile, financial regulators have expressed wariness of Facebook’s announced foray into cryptocurrencies.

Some advocacy groups denounced the settlement as not going far enough. The Electronic Privacy Information Center (EPIC) filed a Motion to Intervene in United States v. Facebook, calling the settlement “not adequate, reasonable, or appropriate.” EPIC claims the settlement would “extinguish more than 26,000 consumer complaints against Facebook that are pending at the FTC,” and asked the court to allow EPIC and other concerned organizations to have a chance to put their views before the FTC before the settlement is finalized.

Facebook still faces a bumpy enforcement road ahead, but the settlement with the FTC will likely have further ripples around the world for all international players. For example, as EU regulators continue their investigation of Facebook and other tech companies for alleged violations of the GDPR, we can expect that the FTC settlement will provide a benchmark they will try to beat to claim the title of “biggest penalty” for privacy violations worldwide. Investments in data privacy and security will continue to be an ever-larger component of corporate compliance programs.

© 2019 Keller and Heckman LLP

About this Author

Sheila Millar, Keller Heckman, advertising lawyer, privacy attorney
Partner

Sheila A. Millar counsels corporate and association clients on advertising, privacy, product safety, and other public policy and regulatory compliance issues.

Ms. Millar advises clients on an array of advertising and marketing issues.  She represents clients in legislative, rulemaking and self-regulatory actions, advises on claims, and assists in developing and evaluating substantiation for claims. She also has extensive experience in privacy, data security and cybersecurity matters.  She helps clients develop website and app privacy policies,...

202-434-4646
Tracy Marshall, Keller Heckman, regulatory attorney, for-profit company lawyer
Partner

Tracy Marshall assists clients with a range of business and regulatory matters.

In the business and transactional area, Ms. Marshall advises for-profit and non-profit clients on corporate organization, operations, and governance matters, and assists clients with structuring and negotiating a variety of transactions, including purchase and sale, marketing, outsourcing, and e-commerce agreements.

In the privacy, data security, and advertising areas, she helps clients comply with privacy, data security, and consumer protection laws, including laws governing telemarketing and commercial e-mail messages, contests and sweepstakes, endorsements and testimonials, marketing to children, and data breach notification. Ms. Marshall also helps clients establish best practices for collecting, storing, sharing, and disposing of data, and manage outsourcing arrangements and transborder data flows. In addition, she assists with drafting and implementing internal privacy, data security, and breach notification policies, as well as public privacy policies and website terms and conditions.

As to intellectual property matters, Ms. Marshall helps clients protect their copyrights and trademarks through registration, enforcement actions, and licensing agreements.

She also represents clients in proceedings before the Federal Communications Commission and Federal Trade Commission.

Ms. Marshall is a Certified Information Privacy Professional (CIPP/US) through the International Association of Privacy Professionals (IAPP) and a contributing author of Beyond Telecom Law Blog and Consumer Protection Connection.

Education: Washington and Lee University (B.A., 1997); American University, Washington College of Law (J.D., 2002).

Admissions: District of Columbia; Maryland

Memberships: American Bar Association

202-434-4234